
[Bug]: #395

Open
4 of 6 tasks
felixlabrot opened this issue Dec 3, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@felixlabrot

General Info

  • I didn't add any mods
  • I can reproduce this issue consistently in single-player
  • I can reproduce this issue consistently in multi-player
  • I have searched for this issue previously and it was either (1) not previously reported, or (2) previously fixed and I am having the same problem.
  • I am crashing and can provide my crash report(s)
  • I am using the latest version of the modpack

Your launcher

AMP

Modpack version (do not say "latest"; CurseForge shows it on the modpack's icon)

1.11

Describe your issue

From dependencies this modpack is vulnerable to CVE-2021-44228, CVE-2021-45046, CVE-2021-44832, 2021-A-0573, 2021-A-0598, 0001-A-0650, CVE-2021-45105.
Log4J must be upgraded to 2.24.0 or later to prevent any further known vulnerabilities.
Currently there are versions 2.11.2 and 2.15.0 in use.

Steps to reproduce the issue

No response

Additional Information

[Screenshot attached in the original issue; image not available here]

@felixlabrot felixlabrot added the bug Something isn't working label Dec 3, 2024
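The report above lists the log4j-core versions it found (2.11.2 and 2.15.0) against the 2.24.0 floor it asks for. The following is an added example, not code from the issue, the modpack or Forge: a small scanner that walks a Minecraft/Forge install, picks out `log4j-core-<version>.jar` files by name, and flags anything below a minimum version. The directory layout and sample file names are constructed, and the `log4j-core-<version>.jar` naming assumption is mine (it matches Maven-style library trees but not jars that were renamed or shaded).

```python
"""Flag log4j-core jars older than a minimum version in a Forge/Minecraft install."""
import re
from pathlib import Path

# Assumed naming: log4j-core-<version>[-qualifier].jar, as in Maven library trees.
LOG4J_CORE_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$")
MINIMUM_VERSION = "2.24.0"  # floor requested in the issue report


def parse_version(text):
    """'2.15.0' -> (2, 15, 0); pads so '2.11' and '2.11.0' compare equal."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def log4j_version_from_name(filename):
    """Return the version string of a log4j-core jar, or None for other files."""
    m = LOG4J_CORE_RE.match(Path(filename).name)
    return m.group(1) if m else None


def find_outdated_log4j(jar_paths, minimum=MINIMUM_VERSION):
    """Return [(path, version)] for every log4j-core jar strictly below `minimum`."""
    floor = parse_version(minimum)
    findings = []
    for p in jar_paths:
        v = log4j_version_from_name(p)
        if v is not None and parse_version(v) < floor:
            findings.append((str(p), v))
    return findings


def scan_tree(root):
    """Walk a real install directory (libraries/, mods/, ...) and report findings."""
    return find_outdated_log4j(Path(root).rglob("*.jar"))


if __name__ == "__main__":
    # Constructed sample of what a libraries/ tree might contain (not a real listing).
    sample = [
        "libraries/org/apache/logging/log4j/log4j-core/2.11.2/log4j-core-2.11.2.jar",
        "libraries/org/apache/logging/log4j/log4j-core/2.15.0/log4j-core-2.15.0.jar",
        "libraries/org/apache/logging/log4j/log4j-api/2.15.0/log4j-api-2.15.0.jar",
        "libraries/org/apache/logging/log4j/log4j-core/2.24.1/log4j-core-2.24.1.jar",
    ]
    for path, version in find_outdated_log4j(sample):
        print(f"OUTDATED log4j-core {version}: {path}")
```

Run `scan_tree("/path/to/instance")` against a real instance directory to list the jars that still need upgrading; a clean result only covers jars that keep the standard file name.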
@Gunner76th

This is something you would need to address with the Forge authors. There is nothing we can do about this as those are forge library files. This would probably also apply to every modpack currently in existence on all repositories (Curseforge, FTB, ATLauncher, Technic, ...)

While we thank you for the information, this isn't something we can action on or fix ourselves. This is an issue that can only be addressed by Forge as it appears to affect all current releases of Forge for all versions of Minecraft. Forge 1.21.3-53.0.25 is using Log4j-core-2.22.1

While there is a mod that mitigates CVE-2021-44228 and CVE-2021-45046, it does not address any of the other CVEs you mentioned. Additionally, Forge has already addressed CVE-2021-44228 as noted in their change log for 36.2.20 (RAD 2 1.11 and 1.12 is on 36.2.39).

https://maven.minecraftforge.net/net/minecraftforge/forge/1.16.5-36.2.42/forge-1.16.5-36.2.42-changelog.txt

I suggest reaching out to Forge themselves and working with them to resolve this issue or working with the authors of the mod Log4JPatcher

Again, while we thank you for bringing this to our attention, there is nothing at all we can do about this, as this involves core Forge files.

@Gunner76th

Discord for Forge: https://discord.com/invite/UuM6bmAjXh

Information for joining the CreeperHost discord: https://www.creeperhost.net/wiki/books/creeperpanel/page/live-chat-using-discord

@felixlabrot
Author

For documentation purposes I'll add the report to CreeperHost here: CreeperHost/Log4jPatcher#9

I will inform Forge later after checking with the latest RAD2 version. The only real fix for this is to upgrade to recent libraries and not patching old libraries. This is less work than manually fixing something. Also, manually half-fixing something instead of upgrading dependencies is not a valid thing to do to maintain security certifications for datacenters. Using a horribly outdated library is in itself a finding. And especially with Log4J we have to be extra cautious as we have seen what this bug was able to do.

Thank you for your insights. I will get this fixed with Forge so you can upgrade to the latest Forge version where this hopefully has been resolved.
